Apply List-Based Access Control
Once authentication is enabled on both the API and the consumer side, every consumer holding valid credentials for that authentication plugin can reach every API that uses it. Some scenarios call for finer-grained control: even a consumer with the correct authentication plugin must also appear on a whitelist before it can call a given API. Each API keeps its own whitelist or blacklist, so the lists are maintained per API rather than shared.
This tutorial walks you through creating a consumer whitelist and enforcing it with the consumer-restriction plugin.
Prerequisites
- Obtain a user account with Super Admin or API Provider role.
- Publish a service.
- Set up API authentication.
- Manage consumer credentials.
Restricted by Consumer Name
When a request arrives, API7 Enterprise Edition extracts the credentials, authenticates them, and looks up the consumer's name. The route therefore never has to reference the credentials themselves: it restricts access by consumer name, which is easier to read and maintain, and rotating a consumer's key leaves the list untouched.
Plugin configurations are not Runtime Configurations, so make the change in the service template and then publish a new version to the gateway group.
1. Select Services from the side navigation bar and then select Swagger Petstore.
2. Select Plugins from the side navigation bar.
3. In the Plugins field, search for the consumer-restriction plugin. Click the Plus icon (+) and a dialog box appears.
4. Apply the following configuration:
    {
      "whitelist": [
        "Alice"
      ]
    }
5. Click Enable.
Enabling the consumer-restriction plugin at the service level applies it to every route under that service; use this when all of those routes share the same whitelist, and enable it on individual routes when they do not.
Validate
Add a new consumer Lisa and enable the key-auth plugin for her with the following configuration:
    {
      "key": "secret-key2"
    }
Send a request with Alice's key:
    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key"
You should see the following output:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 07:00:09 GMT
x-srv-trace: v=1;t=569591aa680bb202
x-srv-span: v=1;s=b5cbb398895e3f13
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1693551669
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
Now send the same request with Lisa's key:
    curl -i "http://127.0.0.1:9080/pet/1" -H "apikey: secret-key2"
You should see the following output:
HTTP/1.1 403 Forbidden
Date: Fri, 01 Sep 2023 07:00:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"message":"The consumer_name is forbidden."}
Lisa's key is valid, so key-auth accepts the request; it is the consumer-restriction plugin that rejects her because she is not on the whitelist. A missing or unknown key never reaches the whitelist check: key-auth rejects it first with 401.
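To reason about the two results above without a running gateway, the following added example (not API7 Enterprise or Apache APISIX code) models the decision sequence the tutorial relies on: key-auth resolves the apikey header to a consumer name, then consumer-restriction compares that name against the whitelist on the route. It also covers the blacklist form and the rejected_code/rejected_msg overrides, which go beyond what the page configures. The consumer names, keys and 403 wording are taken from the page; the consumer table is constructed, and the 401 paths and the "exactly one of whitelist or blacklist" rule are assumptions about the plugin's behaviour.

```python
"""Offline model of the key-auth + consumer-restriction decision.

Added illustration, not gateway source. Names, keys and the 403 message
come from the tutorial; everything else is an assumption for the model.
"""
import hmac
from typing import Dict, Optional, Tuple

# Constructed consumer table: the key-auth credential held by each consumer.
CONSUMERS: Dict[str, str] = {
    "Alice": "secret-key",
    "Lisa": "secret-key2",
}

Result = Tuple[int, Optional[str]]  # (HTTP status, error message or None)


def key_auth(headers: Dict[str, str]) -> Optional[str]:
    """Map the apikey header to a consumer name; None if absent or unknown."""
    presented = headers.get("apikey")
    if presented is None:
        return None
    for name, key in CONSUMERS.items():
        # constant-time comparison so a wrong key leaks nothing via timing
        if hmac.compare_digest(key.encode(), presented.encode()):
            return name
    return None


def consumer_restriction(conf: dict, consumer_name: Optional[str]) -> Result:
    """Apply one consumer-restriction config (restricting by consumer name)."""
    whitelist = conf.get("whitelist")
    blacklist = conf.get("blacklist")
    if (whitelist is None) == (blacklist is None):
        # assumption: the plugin takes exactly one of the two lists
        raise ValueError("configure exactly one of whitelist or blacklist")
    if consumer_name is None:
        # assumption: with no identified consumer the check cannot pass
        return 401, "Missing authentication or identity verification."
    if whitelist is not None:
        allowed = consumer_name in whitelist
    else:
        allowed = consumer_name not in blacklist
    if allowed:
        return 200, None
    return conf.get("rejected_code", 403), conf.get(
        "rejected_msg", "The consumer_name is forbidden."
    )


def handle(route_conf: dict, headers: Dict[str, str]) -> Result:
    """Run the plugins in gateway order: authenticate first, then restrict."""
    name = key_auth(headers)
    if name is None:
        # key-auth rejects before consumer-restriction runs (wording illustrative)
        return 401, "key-auth: missing or invalid apikey"
    return consumer_restriction(route_conf, name)


if __name__ == "__main__":
    route = {"whitelist": ["Alice"]}  # the configuration applied in the tutorial
    print(handle(route, {"apikey": "secret-key"}))   # Alice: (200, None)
    print(handle(route, {"apikey": "secret-key2"}))  # Lisa: (403, 'The consumer_name is forbidden.')
    print(handle(route, {}))                         # no key: 401 from key-auth
```

The order of the two checks is the point: the whitelist is evaluated only after a consumer has been identified, so a whitelist never substitutes for authentication, and a consumer rotating from one key to another keeps the same access as long as the name on the list is unchanged.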